Email authentication has become a significant practice in cybersecurity, owing to the increased threat of impersonation of legitimate and well-known organizations. A DMARC policy, published in the sender’s DNS as a simple TXT record, can address these concerns and improve the sender’s mail delivery rates.
A domain’s DMARC policy contains instructions for email receivers on how to handle messages that fail authentication checks. This policy can specify three possible actions:
- DMARC none
- DMARC quarantine
- DMARC reject
DMARC policy at “reject” significantly minimizes the risk of domain abuse, brand impersonation, phishing, and spoofing attacks.
DMARC for Email Authentication and Spoofing Protection
DMARC or Domain-based Message Authentication, Reporting and Conformance, is a protocol designed to authenticate emails with the help of two other protocols, namely SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail). Domain owners can configure DMARC using either of these protocols, or both for more robust protection against cyber attacks.
To start the setup process, you need to make a few DNS changes and include DNS records for the protocols. Once published, your DMARC policy record tells receiving servers to validate every message sent from your domain name against SPF and DKIM, to establish whether it comes from a genuine source, and what to do if it does not.
What is a DMARC Policy?
A DMARC policy is a TXT instruction, denoted by the “p” tag in the DMARC record, that tells receiving mail servers what action to take if an email fails DMARC validation. A sender can opt for different policies depending on how stringently they want receivers to handle non-compliant emails. For example, an enforced DMARC policy like p=reject is an effective way to reduce threats like phishing, spoofing, and domain name impersonation, while p=none will have no effect.
3 Types of DMARC Policy: p=reject, p=none, p=quarantine
Depending on the level of enforcement domain owners want to establish, there are 3 primary DMARC policy types – none, quarantine, and reject. The main difference between these policy options is determined by the action taken by the receiving mail transfer agent when adhering to the specified policy defined by the mail sender in their DNS record.
Here, p is the parameter that specifies the DMARC policy:
- DMARC None: A “monitoring only” policy that offers no protection – good for the beginning stages of your deployment journey.
- DMARC Quarantine: Flags or quarantines unauthorized emails.
- DMARC Reject: Blocks inbox access to unauthorized emails.
1. DMARC None Policy
DMARC policy none (p=none) is a relaxed DMARC policy used during the initial stages of a DMARC deployment to monitor email activities – best suited for organizations that are just starting out on their authentication journey. It doesn’t provide any level of protection against cyberattacks.
Example: v=DMARC1; p=none; rua=mailto:(email address);
- The main aim of domain owners who select the “none” policy should be to gather information on sending sources and keep tabs on their communications and deliverability without any inclination towards strict authentication. This may be because they are not yet prepared to commit to enforcement, and are taking their time to analyze the current situation.
- Receiving email systems treat messages sent from domains configured with this policy as “no-action”, meaning that even if these messages fail DMARC, no action will be taken to discard or quarantine them. These messages will successfully reach your clients.
- DMARC reports are still generated when you have “p=none” set up. The recipients transmit aggregate reports to the domain owners, providing detailed authentication status information for the messages that appear to originate from their domain.
2. DMARC Quarantine Policy
p=quarantine provides some level of protection: if an email fails DMARC, the domain owner asks the receiver to place it in the spam folder for later review.
Example: v=DMARC1; p=quarantine; rua=mailto:(email address);
Rather than outright discarding unauthenticated emails, the “quarantine” policy offers the ability for domain owners to maintain security while also providing the option to review emails before accepting them, taking the “verify then trust” approach.
This ensures that legitimate messages that fail DMARC authentication will not be lost before you closely inspect them. This approach can be considered intermediate in terms of enforcement and facilitates a smooth transition to p=reject, wherein domain owners can a) assess the impact of DMARC on their email messages and b) make informed decisions regarding whether or not they should discard the flagged emails.
3. DMARC Reject Policy
Finally, the reject DMARC policy (p=reject) is an enforcement policy that ensures messages failing authentication for DMARC are rejected and discarded by the receiver’s email server, thereby providing maximum enforcement.
Example: v=DMARC1; p=reject; rua=mailto:(email address);
DMARC reject can prevent phishing attacks, direct domain spoofing, and other fraudulent emails, by blocking out messages that appear suspicious. If you are confident enough not to give leeway to unauthorized emails by diverting them to a separate folder for review, the “reject” policy is suitable for you.
However, keep the following in mind:
- Thoroughly test and plan before opting for DMARC reject
- Make sure reporting is enabled for your domain
- Ideally, opt for a hosted DMARC solution to get expert assistance with your DMARC implementation and throughout your enforcement journey.
Benefits of Enforcing Your DMARC Policy
Let’s delve into the advantages of setting up a strict DMARC policy for your domain:
1. Direct Protection Against Phishing and BEC
When you are on DMARC reject, emails originating from unauthenticated sources are automatically discarded before they make it to your recipient’s inbox – offering direct protection against phishing attacks, business email compromise, and CEO fraud.
2. The first line of Defense Against Ransomware and Malware
Ransomware and malware are often spread via fake emails sent from impersonated domain names and can infiltrate and completely take over your operating system. A DMARC policy at reject ensures that fraudulent emails are blocked from your client’s inbox before they get the chance to click on harmful attachments and unknowingly download ransomware or malware into their system, thereby acting as an elementary line of defense against these attacks.
Best DMARC Policy Type
DMARC reject is the best DMARC policy if you want to maximize your email security efforts. This is because when on p=reject, domain owners actively block unauthorized messages from their client’s inboxes. This provides a high degree of protection against direct-domain spoofing, phishing, and other forms of impersonation threats, making it an effective anti-phishing policy.
- To monitor your email channels: If you simply want to monitor your message transactions and sending sources, a DMARC at p=none is enough. This will however not protect you against cyberattacks.
- To protect against Phishing and Spoofing Attacks: If you want to protect your domain against phishing attacks and direct-domain spoofing, DMARC p=reject is imperative. It provides the highest level of DMARC enforcement and effectively minimizes impersonation attacks.
- To review suspicious emails before they are delivered: If you don’t want to outright block unauthorized emails, DMARC quarantine is your best bet, as it lets your receivers review them in their quarantine folder.
Busting Common DMARC Policy Myths
There are some common misconceptions about DMARC policies, some of which can have terrible consequences for your mail delivery. Let’s learn what they are and the truth behind them:
1. DMARC none can prevent spoofing: DMARC none is a “no-action” policy and cannot protect your domain against cyberattacks.
Which DMARC policy prevents spoofing?
A DMARC p=reject is the only DMARC policy that is effective in preventing spoofing attacks. This is because DMARC reject blocks unauthorized emails from reaching your receiver’s inbox, thereby stopping them from accepting, opening, and reading bad emails.
2. You won’t receive DMARC reports at p=none: Even on p=none, you can continue to receive daily DMARC reports by specifying a valid email address in the rua tag of your record.
3. DMARC “quarantine” is not important: Often overlooked, the quarantine policy in DMARC is extremely useful for domain owners seeking to make a smooth transition from no-action to maximum enforcement.
4. DMARC reject impacts deliverability: Even on DMARC reject, you can ensure your messages are delivered seamlessly by monitoring and analyzing the activities of your senders and reviewing authentication results.
Steps to set up your DMARC policy
Step 1: Enable SPF or DKIM for your domain by generating your free record.
Step 2: Create a DMARC record using our DMARC generator tool. Make sure you fill in the DMARC p= parameter to define your DMARC policy like in the example below:
v=DMARC1; pct=100; p=reject; rua=mailto:(email address);
Step 3: Publish this record on your DNS
Troubleshoot DMARC Policy Errors
You should be wary of any syntax errors while setting up your record to make sure that your protocol functions correctly.
Errors while configuring the DMARC policy are common and can be avoided by using a DMARC checker tool.
DMARC sp Policy
If you configure a DMARC reject policy but set your subdomain policy (sp) to none, you will not be able to achieve compliance, because the subdomain policy overrides the domain policy for emails sent from your subdomains.
“DMARC policy not enabled” error
If you come across this error message in your reports, this points to a missing DMARC domain policy in your DNS or one that is set to “none”. Edit your record to incorporate p=reject/quarantine and this should fix the problem.
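The errors covered in this section can be caught before the record is published. The following is an added example, not the article's or any vendor's tool: a minimal linter whose set of checks is an assumption of this example rather than a full RFC 7489 validator, run over constructed records for the placeholder domain `example.com`.

```python
STRENGTH = {"none": 0, "quarantine": 1, "reject": 2}  # enforcement order


def parse_dmarc(record):
    """Split a DMARC TXT record into ordered (tag, value) pairs."""
    pairs = []
    for part in record.split(";"):
        if part.strip():
            tag, sep, value = part.partition("=")
            pairs.append((tag.strip().lower(), value.strip() if sep else None))
    return pairs


def lint_dmarc(record):
    """Return a list of findings; an empty list means nothing was flagged."""
    pairs = parse_dmarc(record)
    tags = dict(pairs)
    findings = []
    if not pairs or pairs[0] != ("v", "DMARC1"):
        findings.append("record must start with v=DMARC1")
    p = (tags.get("p") or "").lower()
    if p not in STRENGTH:
        findings.append("p tag missing or invalid: policy not enabled")
    elif p == "none":
        findings.append("p=none is monitoring only: policy not enforced")
    sp = (tags.get("sp") or "").lower()
    if sp in STRENGTH and p in STRENGTH and STRENGTH[sp] < STRENGTH[p]:
        findings.append(f"sp={sp} is weaker than p={p} for subdomains")
    rua = tags.get("rua")
    if not rua:
        findings.append("no rua tag: aggregate reports are not requested")
    elif not all(u.strip().lower().startswith("mailto:") for u in rua.split(",")):
        findings.append("rua entries should be mailto: URIs")
    pct = tags.get("pct")
    if pct is not None and not (pct.isascii() and pct.isdigit() and int(pct) <= 100):
        findings.append("pct must be an integer from 0 to 100")
    return findings


# Constructed sample records; example.com is a placeholder domain.
SAMPLES = [
    "v=DMARC1; pct=100; p=reject; rua=mailto:dmarc@example.com;",
    "v=DMARC1; p=reject; sp=none; rua=mailto:dmarc@example.com",
    "v=DMARC1; p=rejct; rua=dmarc@example.com",
]

if __name__ == "__main__":
    for rec in SAMPLES:
        print(rec, "->", lint_dmarc(rec) or "ok")
```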
A Safer Way to Update, Enforce, and Optimize Your DMARC Policy
PowerDMARC’s DMARC analyzer platform is designed to help you effortlessly set up the DMARC protocol while providing a cloud-native interface to monitor and optimize your record with a few clicks of a button. Let’s explore its key benefits:
A smooth shift from p=none to p=reject
PowerDMARC’s extensive reporting mechanism offers 7 views and filtering mechanisms for your DMARC Aggregate reports on the DMARC analyzer dashboard to effectively monitor your email flows while on DMARC none.
Update and change your DMARC policy modes
Our hosted DMARC feature allows you to update your DMARC policy modes, shift to p=reject and monitor your protocol effectively and in real time without entering your DNS management console.
Our 24-hour active support team helps orchestrate a smooth transition from a relaxed to an enforced DMARC policy to maximize your security while ensuring deliverability.
Set up custom email alerts to detect any malicious activity and take action against threats sooner.
Contact us today to implement a DMARC policy and monitor your results easily!